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Manna  &  Waldfnger 
Abstract 


This  paper  explores  a  technique  for  proving  the  correctness  and  termination  of  programs 
simultaneously.  This  approach,  which  we  call  the  intermittent-assertion  method,  involves 
documenting  the  program  with  assertions  that  must  be  true  at  some  time  when  control  passes 
through  the  corresponding  point,  but  that  need  not  be  true  every  time.  The  method, 
introduced  by  Burstall,  promises  to  provide  a  valuable  complement  to  the  more  conventional 
methods. 

We  first  introduce  the  intermittent-assertion  method  with  a  number  of  examples  of  correctness 
and  termination  proofs.  Some  of  these  proofs  are  markedly  simpler  than  their  conventional 
counterparts.  On  the  other  hand,  we  show  that  a  proof  of  correctness  or  termination  by  any  of 
the  conventional  techniques  can  be  rephrased  directly  as  a  proof  using  intermittent  assertions. 
Finally,  we  show  how  the  intermittent-assertion  method  can  be  applied  to  prove  the  validity  of 
program  transformations  and  the  correctness  of  continuously  operating  programs. 
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Manna  &  Waldinger 
I.  Introduction 

The  most  prevalent  approach  to  prove  that  a  program  satisfies  a  given  property  has  been  the 
invariant-assertion  method,  made  known  largely  through  the  work  of  Floyd  [1967]  and  Hoare 
[19691  In  this  method,  the  program  being  studied  is  supplied  with  formal  documentation  in 
the  form  of  comments,  called  invariant  assertions,  which  express  relationships  between  the 
different  variables  manipulated  by  the  program.  Such  an  invariant  assertion  is  attached  to  a 
given  point  in  the  program  with  the  understanding  that  the  assertion  is  to  hold  every  time 
control  passes  through  the  point 

Assuming  that  an  appropriate  invariant  assertion,  called  the  input  specification,  holds  at  the 
start  of  the  program,  the  method  allows  us  to  prove  that  the  other  invariant  assertions  hold  at 
the  corresponding  points  in  the  program.  In  particular,  we  can  prove  that  the  output 
specification ,  the  assertion  associated  with  the  program’s  exit,  will  hold  whenever  control  reaches 
the  exit.  If  this  output  specification  reflects  what  the  program  is  intended  to  achieve,  we  have 
succeeded  in  proving  the  correctness  of  the  program. 

It  is  in  fact  possible  to  prove  that  an  invariant  assertion  holds  at  some  point  even  though 
control  never  reaches  that  point,  since  then  the  assertion  holds  vacuously  every  time  control 
passes  through  the  point  in  question.  In  particular,  using  the  invariant-assertion  method,  one 
might  prove  that  an  output  specification  holds  at  the  exit  even  though  control  never  reaches 
that  exit  If  we  manage  to  prove  that  a  program’s  output  specification  holds,  but  neglect  to  show 
that  the  program  terminates,  we  are  said  to  have  proved  the  program’s  partial  correctness. 

A  separate  proof,  by  a  different  method,  is  required  to  prove  that  the  program  does  terminate. 
Typically,  a  termination  proof  is  conducted  by  choosing  a  well-founded  set ,  one  whose  elements 
are  ordered  in  such  a  way  that  no  infinite  decreasing  sequences  of  elements  exist.  (The 
nonnegative  integers  under  the  regular  greater-than  ordering,  for  example,  constitute  a 
well-founded  set)  For  some  designated  label  within  each  loop  of  the  program  an  expression 
involving  the  variables  of  the  program  is  then  selected  whose  value  always  belongs  to  the 
well-founded  set.  These  expressions  must  be  chosen  so  that  each  time  control  passes  from  one 
designated  loop  label  to  the  next,  the  value  of  the  expression  corresponding  to  the  second  label 
is  smaller  than  the  value  of  the  expression  corresponding  to  the  first  label.  Here,  "smaller" 
means  with  respect  to  the  well-founded  ordering,  the  ordering  of  the  chosen  well-founded  set. 
This  establishes  termination  of  the  program,  because  if  there  were  an  infinite  computation  of 
the  program,  control  would  traverse  an  infinite  sequence  of  designated  loop  labels;  the 
successive  values  of  the  corresponding  expressions  would  constitute  an  infinite  decreasing 
sequence  of  elements  of  the  well-founded  set,  thereby  contradicting  the  defining  property  of  the 
set.  This  well-founded  ordering  method  constitutes  the  conventional  way  of  proving  the 
termination  of  a  program  (Floyd  [1967]). 
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If  a  program  both  terminates  and  satisfies  its  output  specification,  that  program  is  said  to  be 
totally  correct. 

Burstail  [1974]  introduced  a  method  whereby  the  total  correctness  of  a  program  can  be  shown 
in  a  single  proof.  The  approach  had  been  applied  to  specific  programs  earlier,  by  Knuth 
([.1968]  Section  2.3.1)  and  others.  This  technique  again  involves  affixing  comments  to  points  in 
the  program  but  with  the  intention  that  sometime  control  will  pass  through  the  point  and 
satisfy  the  attached  assertion.  Consequently,  control  may  pass  through  a  point  many  times 
without  satisfying  the  assertion,  but  control  must  pass  through  the  point  at  least  once  with  the 
assertion  satisfied;  therefore  we  call  these  comments  intermittent  assertions.  If  we  prove  the 
output  specification  as  an  intermittent  assertion  at  the  program's  exit,  we  have  simultaneously 
shown  that  the  program  must  halt  and  satisfy  the  specification.  This  establishes  the  program’s 
total  correctness.  Since  the  conventional  approach  requires  two  separate  proofs  to  establish  total 
correctness,  the  intermittent-assertion  method  invites  further  attention. 

We  will  use  the  phrase 

sometime  Q  at  L 

to  denote  that  Q  is  an  intermittent  assertion  at  label  L  (that  sometime  control  will  pass  through 
L  with  assertion  Q  satisfied).  If  the  entrance  of  a  program  is  labelled  start  and  its  exit  is 
labelled  finish,  we  can  express  its  total  correctness  with  respect  to  an  input  specification  P  and 
an  output  specification  R  by 

Theorem:  if  sometime  P  at  start 

then  sometime  R  at  finish. 

This  theorem  entails  the  termination  as  well  as  the  partial  correctness  of  the  program,  because  it 
implies  that  control  must  eventually  reach  the  program’s  exit,  and  satisfy  the  desired  output 
specification. 

If  we  are  only  interested  in  whether  the  program  terminates,  but  don’t  care  if  it  satisfies  any 
particular  output  specification,  we  can  try  to  prove 

Theorem:  if  sometime  P  at  start 

then  sometime  at  finish. 

The  conclusion  "sometime  at  finish "  expresses  that  control  must  eventually  reach  the  program’s 
exit,  but  does  not  require  that  any  relation  be  satisfied. 

Generally,  to  prove  the  total  correctness  or  termination  theorem  for  a  program,  we  must  affix 
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intermittent  assertions  to  some  of  the  program’s  internal  points,  and  supply  lemmas  to  relate 
these  assertions.  The  proofs  of  the  lemmas  often  involve  complete  induction  over  a  well-founded 
ordering  (see  Manna  [1974]).  In  proving  such  a  lemma  we  assume  that  the  lemma  holds  for  ail 
elements  of  the  well-founded  set  smaller  (in  the  ordering)  than  a  given  element,  and  show  that 
the  lemma  then  holds  for  the  given  element  as  well. 

The  intermittent-assertion  method  has  begun  to  attract  a  good  deal  of  attention.  Different 
approaches  to  its  formalization  have  been  attempted,  using  predicate  calculus  (Schwarz  [1976]), 
Hoare-style  axiomatization  (Wang  [1976]),  modal  logic  (Pratt  [1976]),  and  the  LUCID 
formalism  (Ashcroft  [1976]).  Topor  [1977]  applied  the  method  to  proving  the  correctness  of  the 
Schorr- Waite  algorithm,  a  complicated  garbage-collecting  scheme. 

In  this  paper,  we  first  present  and  illustrate  the  intermittent-assertion  method  with  a  variety  of 
examples  for  proving  correctness  and  termination.  Some  of  these  proofs  are  markedly  simpler 
than  their  conventional  counterparts.  On  the  other  hand,  we  prove  that  the 
intermittent-assertion  method  is  at  least  as  powerful  as  the  conventional  invariant-assertion 
method  and  the  well-founded  ordering  method,  in  addition  to  the  more  recent 
subgoai-assertion  method  (Manna  [1971],  Morris  and  Wegbreit  [1976])  for  proving  partial 
correctness.  Finally,  we  show  that  the  intermittent-assertion  method  can  also  be  applied  to 
establish  the  validity  of  program  transformations,  and  to  prove  the  correctness  of  continuously 
operating  programs,  programs  that  are  intended  never  to  terminate. 
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II.  The  Intermittent-Assertion  Method:  Examples 

Rather  than  present  a  formal  definition  of  the  intermittent-assertion  method,  we  prefer  to 
illuminate  it  by  means  of  a  sequence  of  examples.  Each  example  has  been  selected  to  illustrate 
a  different  aspect  of  the  method. 

1.  Counting  the  tips  of  a  tree 

Let  us  consider  a  simple  program  as  a  vehicle  for  demonstrating  the  basic  technique.  This  is 
an  algorithm  to  count  the  tips  of  a  binary  tree,  those  nodes  that  have  no  descendants.  A 
recursive  definition  of  a  function  tipsitree)  that  counts  the  tips  of  i  binary  tree  tree  is 

tipsitree)  <»  if  tree  is  a  tip 
then  i 

else  tipsileft(tree))  +  tips{right{tree)), 

where  left{tree)  and  rightitree)  are  the  left  and  right  subtrees  of  tree  respectively. 

An  iterative  program  to  count  the  tips  of  a  binary  tree  tree  is 
input(tr«) 

start:  stack  <-  (tree) 

count  <-  0 

more:  if  stack  «*  (  ) 

then  finish:  outputfamnf) 
else  if  head(stack)  is  a  tip 
then  count  count  *  1 
stack  <-  tail(stack) 
goto  more 

else  first  «-  head(stack) 

stack  leftifirst)  •  [rightifirst)  •  tail(stack )] 
goto  more. 

(This  program  is  similar  to  one  used  by  Burstall  in  his  [1974]  paper.)  We  have  used  the 
notation  ()  to  denote  the  empty  list,  ( x )  to  denote  the  list  whose  sole  element  is  x,  and  x-l  to 
denote  the  list  formed  by  adding  the  element  x  at  the  beginning  of  the  list  l.  [Note  that  ( x )  is 
the  same  as  *•().]  If  the  list  l  is  not  empty,  then  head(l)  is  its  first  element  and  tail(l)  is  the  list 
of  its  remaining  elements. 

This  program  initially  inserts  the  given  tree  as  the  single  element  of  the  stack.  At  each 
iteration,  the  first  element  is  removed  from  the  stack.  If  it  is  a  tip,  the  element  is  counted; 
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otherwise,  its  left  and  right  subtrees  are  inserted  as  the  first  and  second  elements  of  the  stack. 
The  process  terminates  when  the  stack  is  empty;  count  is  then  the  number  of  tips  in  the  given 
tree. 

Using  intermittent  assertions,  we  can  express  the  total  correctness  of  this  program  by  the 
following  theorem 

Theorem:  if  sometime  tree  -  t  at  start 

then  sometime  count  «  tips{t)  at  finish. 

This  theorem  states  the  termination  of  the  program  in  addition  to  its  partial  correctness, 
because  it  implies  that  control  must  eventually  reach  the  program’s  exit,  and  satisfy  the 
appropriate  output  specification. 

In  order  to  apply  the  intermittent-assertion  method,  we  supply  a  lemma  to  describe  the 
behavior  of  the  program’s  loop.  In  this  case  correctness  of  the  program  depends  on  the 
following  property:  if  we  enter  the  loop  with  some  element  t  at  the  head  of  the  stack,  then 
eventually  the  tips  of  t  will  be  counted  and  t  will  be  removed  from  the  stack.  (Note  that  we  may 
need  to  return  to  more  many  times  before  the  lips  of  t  are  counted.)  This  property  is  expressed 
more  precisely  by  the  following  lemma: 

Lemma:  if  sometime  count  •  c  and  stack  -  t-s  at  more 

then  sometime  count  -  c  *  tips(t )  and  stack  -  s  at  more. 

The  hypothesis  count  -  c  in  the  antecedent  allows  us  to  refer  to  the  original  value  of  count  in 
the  consequent,  even  though  the  value  may  have  changed  subsequently. 

It  is  not  difficult  to  see  that  this  lemma  implies  the  theorem.  Suppose 

sometime  tree  »  t  at  start. 

Then,  following  the  computation  specified  by  the  program,  we  set  stack  to  (t),  count  to  0,  and 
reach  more,  so  that 

sometime  count  -  0  and  stack  -  (t)  -  /*  0  at  more. 

The  lemma  then  tells  us,  taking  c  to  be  0  and  s  to  be  (),  that 
sometime  count  «  0  +  tips(t)  and  stack  *>  ()  at  more. 

Because  we  are  at  more  with  stack*Q,  the  computation  proceeds  to  finish,  so  that 
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sometime  count  -  tips(t)  at  finish, 
and  the  theorem  is  thereby  established. 

The  proof  of  the  lemma  is  by  complete  induction  on  the  structure  of  t.  In  other  words,  we 
suppose  the  antecedent  of  the  lemma,  that 

sometime  count  -  c  and  stack  -  t>s  at  more, 

and  we  assume  inductively  that  the  lemma  holds  whenever  count  -  d  and  stack  -  t'»s',  where  d 
is  any  subtree  of  t.  We  will  then  show  the  consequent  of  the  lemma,  that 

sometime  count  «  c  *  tips(t)  and  stack  -  s  at  more. 

The  proof  distinguishes  between  two  cases,  depending  on  whether  or  not  f  is  a  tip. 

Case  t  is  a  tip:  Then  tips(t)  *  1  by  the  recursive  definition  of  tips.  Since  stack  -  t •  s,  it  is 
dearly  not  empty,  but  its  head,  t,  is  a  tip.  The  program  therefore  increases  count  by  1  and 
removes  t  from  the  stack.  Thus, 

sometime  count  *  c  *  1  »  c  +  tips(t)  and  stack  -  s  at  more, 

establishing  the  conclusion  of  the  lemma  in  this  case. 

Case  t  is  not  a  tip.  Then  tips(t)  -  tlps(left(t))  *  tips(right(t)),  by  the  recursive  definition  of  tips. 
Since  t  is  not  a  tip,  we  pass  around  the  else  branch  of  the  loop  this  time:  we  remove  t  from  the 
stack,  break  it  down  into  its  left  and  right  subtrees,  replace  these  on  the  stack  as  its  first  and 
second  elements,  and  return  to  more.  Thus, 

sometime  count  -  c  and  stack  -  left(t)- [ right(t )•  r]  at  more 

We  can  then  apply  the  induction  hypothesis  [taking  d  to  be  c,  t'  to  be  left(t)  and  s'  to  be 
right(t)-  s],  since  left{t)  is  a  subtree  of  t.  The  induction  hypothesis  tells  us  that 

sometime  count  -  c  +  tips(left(t))  and  stack  *»  right(t)'  s  at  more. 

Since  right{t)  is  also  a  subtree  of  t,  we  can  apply  the  induction  hypothesis  again  [taking  d  io  be 
c*tips(left(t)),  t'  to  be  right(t)  and  s'  to  be  r],  yielding 

sometime  count  ■  c  +  tips(left(t))  *  tips(right(t))  and  stack  -  s  at  more. 

In  other  words,  since  tips{t)  »  tips(left(t))  *  tips(right(t)), 
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sometime  count  =  c  +  tips(t)  and  stack  -  s  at  more. 

This  is  the  desired  conclusion  of  the  lemma. 

Note  that  once  the  lemma  was  formulated  and  the  basis  for  the  induction  decided,  the  proofs 
proceeded  in  a  fairly  mechanical  manner.  On  the  other  hand,  choosing  the  lemma  and  the 
basis  for  induction  required  some  ingenuity. 

The  proof  of  the  lemma  called  upon  the  full  power  of  the  intermittent-assertion  method. 
Although  the  recursive  program  that  defines  the  tips  function  can  count  the  tips  of  a  subtree 
with  a  single  recursive  call,  the  iterative  program  may  require  many  traversals  of  the  loop 
before  the  tips  of  a  subtree  are  counted.  The  intermittent-assertion  method  allows  us  to  relate 
the  point  at  which  we  are  about  to  count  the  tips  of  a  subtree  t  with  the  point  at  which  we 
have  completed  the  counting,  and  to  consider  the  many  executions  of  the  body  of  the  loop 
between  these  points  as  a  single  unit,  which  corresponds  naturally  to  a  single  recursive  call  of 
tips(t). 

The  conventional  invariant-assertion  method,  on  the  other  hand,  requires  that  we  identify  a 
condition  that  allows  us  to  relate  the  situation  before  and  after  each  single  execution  of  the 
body  of  the  loop.  There  may  be  no  natural  connection  between  these  two  points;  consequently 
our  invariant-assertion  must  be  exceptionally  complete.  In  this  case,  such  an  assertion  is 

tips{tree)  -  count  *  S  ,  tips{s)  at  more, 
r  s  t  stack 


where  2L  ,  tips{s)  is  the  sum  of  the  tips  of  all  the  elements  of  the  stack  (cf.  London 
s  i  stack  r 

[1975]).  Once  we  know  this  assertion,  the  invariant-assertion  proof  is  also  straightforward. 
However,  to  formulate  the  above  assertion  we  are  required  to  relate  all  the  elements  of  the 
stack,  while  to  understand  the  program  or  to  produce  the  intermittent- assertion  proof  we  only 
needed  to  consider  the  first  element  of  the  stack. 

The  intermittent-assertion  proof  established  termination  at  the  same  time  as  correctness;  to 
prove  termination  by  the  conventional  well-founded  ordering  approach,  we  can  show  that  the 
value  of  the  pair 

(  tips(tree)  -  count  tips(head($tack))  ) 

always  decreases  in  the  lexicographic  ordering  each  time  we  return  to  more.  In  other  words, 
either  the  first  component  tipsitree)  -  count  is  reduced,  or  the  first  component  remains  fixed 
and  the  second  component  tips{head(stack))  is  reduced.  Both  components  remain  nonnegative 
at  all  times.  Although  finding  the  above  pair  requires  a  bit  of  ingenuity,  this  termination  proof 
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is  relatively  straightforward.  In  the  next  section  we  will  see  a  program  for  which  the  simplest 
known  conventional  termination  proof  is  significantly  more  complicated  than  the 
intermittent-assertion  proof  of  total  correctness. 


2.  The  Ackermann  Function 

The  Ackermann  function,  denoted  by  A(x  y),  is  defined  recursively  for  nonnegative  integers  x 
and  y  as 


A  (sc  <■  if  x  -  0 
then  ^+1 
else  if  y  -  0 

then  A(sc-1  1) 
else  A(x-i  A(x  y-l)). 

For  example,  A(1  1)  -  A(0  A(1  0))  -  A(0  A(0  1))  -  A(0  2)  -  3. 

This  function  is  of  theoretical  interest,  in  part  because  its  value  grow  extremely  quickly;  for 
instance. 


A  (4  4)  -  22 


3 


An  iterative  program  to  compute  the  same  function  is 
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input(*0  yQ) 
start:  sfack[l3  +-  x0 
stack[2 3 «-  y0 
index  *~2 

more:  if  index  »  I 

then  finish:  output<sfac£[l3) 
else  if  stack{index-\]  -  0 

then  jrac&[in<kx-l3  <-  stacklindex]*\ 
index  *-  index- 1 
goto  more 

else  if  stackUndex]  -  0 

then  jtacAfimies:- 1 3 «-  stacklindex- 1]- 1 
stackUndex]  «-  1 
goto  more 

else  stack[index*\]  *-  stackUndex]-\ 
stackUndex 3  <-  stackUndex- \] 
stackUndex - 1 3  <-  stackUndex- 1  ]- 1 
index  <-  index*  1 
goto  more. 

This  iterative  program  represents  a  direct  translation  of  the  recursive  definition.  If  at  some 
stage  the  recursive  program  is  computing 


A(s0  A(s}  ~  A(^_j  stU)) , 

then  at  the  corresponding  stage  of  the  iterative  computation 
stack  -  {s0  Si  ...  Jj_j  Jj)  and  index  -  i. 

Using  intermittent  assertions,  we  can  express  the  program’s  total  correctness  by  the 

Theorem:  if  sometime  *0,y0  2  0  at  start 

then  sometime  stackll]  -  A(x0  y0)  at  finish. 

In  proving  this  theorem  we  will  employ  the  following  lemma, 

Lemma:  if  sometime  index  -  i,  i  2  2,  j/acfc[l::-2]  -  ;, 

Jfaci[t-I3  »  a  and  stackUl  -  b  at  more, 
then  sometime  index  ■  t—  1,  stackl l:i-23  -  s 

and  stackU-Y]  -  A  (a  b)  at  more. 
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Here,  s  represents  a  tuple  of  stack  elements.  The  abbreviation  stackl  1  :  £-2]  »  s  will  be  used  to 
denote  that  s  equals  the  tuple  of  elements  {stackl  1]  stackl 2]  ...  stackli- 2]);  this  expression  is 
included  in  the  hypothesis  and  the  conclusion  of  the  lemma  to  convey  that  the  initial  segment 
of  the  array,  the  first  £-2  elements,  are  unchanged  when  we  return  to  more. 

It  is  straightforward  to  see  that  the  lemma  implies  the  theorem.  For  index  is  2,  stackli]  is  x0, 
and  stackl2]  is  y0  the  first  time  we  reach  more.  Then  the  lemma  implies  that  eventually  we  will 
reach  more  again,  with  index- 1  and  JfacAEl]  *  A{x$  y<j).  Since  index  ■  1  we  then  pass  to  finish 
with  the  desired  output 

To  prove  the  lemma  let  us  suppose 

sometime  index  -  i,  i  2  2,  Jfac&[l:£~2]  »  s, 

s£acfc[£-l]  -  a  and  stack[i]  =  6  at  more. 

Our  proof  will  be  by  induction  on  the  pair  (stacklindex-l]  stacklindex!)  under  the 
lexicographic  ordering  over  the  nonnegative  integers;  in  other  words,  we  will  assume  the  lemma 
holds  whenever  stacklindex- 1]  -  a'  and  stacklindex]  -  6’,  where  a '  and  b’  are  any  nonnegative 
integers  such  that  a'  <  a,  or  a’  -  a  and  If  <  b,  and  show  that  it  then  holds  when  stacklindex- l]-a 
and  stacklindex]-b,  i.e. 

sometime  index-i- 1,  stackl  1  :  i-2]-s,  and 
sracA[£-l]-A(a  b)  at  more. 

The  proof  distinguishes  between  three  cases,  corresponding  to  the  conditional  tests  in  the 
recursive  definition  of  the  Ackermann  function. 

Case  a  =  0;  Then  A  (a  b)  =*  6+1  by  the  recursive  definition  of  the  Ackermann  function.  But 
since  index  *  1,  and  stacklindex-l]  -  a  »  0,  we  return  to  more  with  index  -  i- 1  and 
stackli-l]  »  6+1,  satisfying  the  conclusion  of  the  lemma. 

Case  a  >  0,  6-0:  Here,  A  (a  6)  -  A(a-1  1)  by  the  definition  of  the  Ackermann  function. 
Because  index  *  1,  stacklindex-l’]  -  a  *  0  and  stacklindex]  -  6  »  0,  we  return  to  more  with 
index  -  i,  stackli- 1]  =  a- 1,  and  stackli]  -  1.  Since  stackli- 1]  -  a-1  <  a,  we  have 

(stacA[£-l3  rracACt])  -  (a-1  1)  <  (a  0), 

and,  therefore,  the  inductive  hypothesis  can  be  applied  Etaking  a'  to  be  a-1  and  6'  to  be  1],  to 
yield  that 

sometime  index  -  £-1,  stacklH-2]  -  s  and 
;racA[£-l3  -  A(a-1  1)  at  more. 
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Because  A  (a  6)  »  A  (a- 1  f ),  the  lemma  is  established  in  this  case. 

Case  a  >  0,  b  >  0:  Then  A  (a  b)  «  A(a-1  A(fl  6-1)),  by  the  recursive  definition.  Since  index  *  1, 
stacklindex- \]  **  a  *  0,  and  stacklindex 3  »  6  >*  0,  we  return  to  more  with 

index  »  i+1, 
stack[i-\}  -  a-1, 
stackli ]  -  a,  and 
jracAft+13  -  6-1. 

Because  index  -  2+1  and  (sracAtil  jracfc[i+l])  -  (a  6-1)  •<  (a  6),  our  induction  hypothesis  applies 
[taking  a’  to  be  a  and  6'  to  be  6-1],  yielding 

sometime  index  «  t,  sraeA[  lti-23  -  s, 

jtocA[i-l]  *  a-1,  and  stackli)  -  A(a  6-1)  at  more. 

Note  that  we  could  conclude  that  stackli- 13  -  a- 1  because  the  induction  hypothesis,  for 
index  -  i+1,  states  that  the  first  i-1  array  elements  are  unchanged. 

Because  index  =  i  and  (sfacA[i- 13  JtacACi])  -  (a-1  A(a  6-i))  <  (a  6),  we  can  apply  the  induction 
hypothesis  once  more  [taking  a'  to  be  a-I  and  V  to  be  A  (a  6-1)3,  to  obtain  that 

sometime  index  »  i-1,  srocA[la-23  -  s, 

and  siacA[i-l]  -  A(a-1  A  (a  6-1))  at  more, 

which  is  the  desired  conclusion  in  this  case. 

This  completes  the  intermittent-assertion  proof  of  the  total  correctness  of  the  Ackermann 
program;  we  believe  it  reflects  our  understanding  of  the  way  the  program  works.  The 
invariant-assertion  proof  of  the  partial  correctness  is  quite  natural;  at  each  iteration  it  can  be 
shown  that 

A(siacA[l3  A(siacA[2]  -  A(jfac6[inckx-1]  stacklindex])...))  •  A(*0  y0) 
at  more  and,  when  the  program  terminates,  that 
stack  [13  -  A(*0  y0). 

On  the  other  hand,  the  known  proofs  of  the  termination  of  this  iterative  program  using  the 
conventional  well-founded  ordering  method  are  extremely  complicated,  and  we  challenge  the 
intrepid  reader  to  construct  such  a  proof. 


12 


Manna  &  Waldinger 

3.  The  greatest  common  divisor  of  two  numbers 

In  the  previous  two  examples,  we  have  applied  the  intermittent-assertion  method  to  programs 
involving  only  one  loop.  The  following  program,  which  computes  the  greatest  common  divisor 
( gcd )  of  two  positive  integers,  is  introduced  to  show  how  the  intermittent-assertion  method  is 
applied  to  a  program  with  a  more  complex  loop  structure. 

We  define  gcd(x  y),  where  x  and  y  are  positive  integers,  as  the  greatest  integer  that  divides  both 
x  and  y,  that  is, 

gcd(x  y)  -  max{u  :  u\x  and  u|y}. 

For  instance,  gcd{ 9  12)  -  3  and  gcd( 12  25)  *  1. 

The  program  is 

input(%  y) 

start: 

■  more .  if  x  -  y 

then  finish:  output(y) 
else  reducex :  if  x>  y 

then  x  <-  x-y 

goto  reducex 
reducey:  if  y  >  x 

-  then  y  <-  y-x 

goto  reducey 

goto  more. 

This  program  is  motivated  by  the  properties  of  the  gcd  that 

gcd(x  y)  -  y  if  x  »  y, 

gcd(x  y)  -  gcd(x-y  y)  if  x  >  y,  and 

gcd(x  y)  »  gcd(x  y-x)  if  y  >  x. 

We  would  like  to  use  the  intermittent-assertion  method  to  prove  the  total  correctness  of  the  gcd 
program.  The  total  correctness  can  be  expressed  as  follows: 

Theorem:  if  sometime  x  =  a,  y  =  b  and  aj>  >  0  at  start 

then  sometime  y  -  gcd{a  b)  at  finish. 

To  prove  this  theorem,  we  need  a  lemma  that  describes  the  internal  behavior  of  the  program. 
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Lemma:  if  sometime  x  -  a,  y  -  b,  and  a  >  b  >  0  at  reducex 

or  sometime  *  -  a,  y  =  b,  and  b  >  a  >  0  at  reducey 
then  sometime  y  -  gcd(a  b)  at  finish. 

To  show  that  the  lemma  implies  the  theorem,  we  assume  that 

sometime  x  =  a,  y  =  b,  and  a,b  >  0  at  start. 

We  must  distinguish  between  three  cases. 

Case  a  -  b:  Control  passes  directly  to  finish.  Thus 

sometime  y  «  b  at  finish. 

But  because  in  this  case  b  -  gcd(a  b),  by  a  given  property  of  the  gcd,  we  have  y  -  gcd{a  b)  at 
finish. 

Case  a  >  ir.  Control  passes  directly  to  reducex,  so 

sometime  x  -  a,  y  ■  b,  and  a  >  b  >  0  at  reducex. 

The  lemma  then  asserts  that 

sometime  y  *■  gcd(a  b)  at  finish. 

Case  b  >  a:  Here,  control  passes  directly  to  reducey,  so  that 
sometime  x  -  a,y  -  b  and  b  >  a  >  0  at  reducey. 

Again,  the  lemma  yields  the  desired  result. 

The  proof  of  the  lemma  proceeds  by  induction  on  a+6.  We  suppose 

sometime  x  »  a,  y  <*  b,  and  a  >  b  >  0  at  reducex 
or  sometime  x  -  a,  y  *  b,  and  b  >  a  >  0  at  reducey. 

We  assume  inductively  that  the  lemma  holds  whenever  x  -  <£  and  y  «  V,  where  o'  +  V  <  a  +  b, 
and  show  that 

sometime  y  -  gcd(a  b)  at  finish. 

The  hypothesis  of  the  lemma  is  a  disjunction  of  two  possibilities.  We  consider  each  possibility 
separately. 
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First,  suppose 

sometime  x  »  a,  y  -  b,  and  a  >  b  >  0  at  redticex. 

Here  control  passes  around  the  top  inner  loop,  so  that 
sometime  x  *  a-b  and  y  *  b  at  redticex. 

For  simplicity,  let  us  denote  a-b  and  b  by  a'  and  V,  respectively.  Note  that 
a',  b’>  0 

a'  +  b'  <  a  *  b,  and 

gcd(a'  b')  -  gcd(a-b  b)  -  gcd(a  b). 

This  last  condition  follows  by  a  given  property  of  the  gcd.  We  now  distinguish  between  three 
cases. 

Case  a’  «  b Control  passes  directly  to  finish,  so 

sometime  y  »  gcd(a'  b')  -  gcd(a  b)  at  finish. 

Case  a'  >  b’:  Here 

sometime  x  -  a',  y  -  b\  and  a'  >  V  >  0  at  redticex. 

Because  a'  ♦.  b'  <  a  *  b,  we  can  apply  the  induction  hypothesis  to  deduce  that 
sometime  y  »  gcd(a'  b ’)  -  gcd(a  b)  at  finish. 

Case  b’  >  a':  Control  passes  to  redticey  and  we  can  apply  the  induction  hypothesis  in  the  same 
way. 

The  second  possibility  from  the  hypothesis  of  the  lemma,  that 
sometime  x  ■  a,  y  -  b,  and  b  >  a  >  0  at  redticey, 

is  disposed  of  in  a  symmetric  manner.  This  completes  the  proof  of  the  total  correctness  of  the 

Scd. 

It  is  not  difficult  to  prove  the  partial  correctness  of  the  above  program  using  the  conventional 
invariant-assertion  method.  For  instance,  to  prove  that  the  program  is  partially  correct  with 
respect  to  the  input  specification 
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x0  >  0  and  y0  >  0 
and  output  specification 
y  -  gcd(x  o  y0) 

(where  x0  and  y0  are  the  initial  values  of  x  and  y)  we  can  use  the  same  Invariant  assertion 
x,y  >  0  and  gcd(x  y)  -  gcd{x0  y0) 
at  each  of  the  labels  more,  reducex  and  reducey. 

In  contrast,  the  termination  of  this  program  is  awkward  to  prove  by  the  conventional 
well-founded  ordering  method,  because  it  is  possible  to  pass  from  more  to  reducex,  reducex  to 
reducey,  or  from  reducey  to  more  without  changing  any  of  the  program  variables.  One  of  the 
simplest  proofs  of  the  termination  of  the  gcd  program  by  this  method  involves  taking  the 
well-founded  set  to  be  the  pairs  of  nonnegative  integers  ordered  by  the  regular  lexicographic 
ordering.  When  the  expressions  corresponding  to  the  loop  labels  are  taken  to  be 

(x*y  2)  at  more, 

if  x  *  y  then  (x*y  1)  else  (x*y  i)  at  reducex,  and 

if  x  <  y  then  (x+y  0)  else  (x+y  2)  at  reducey, 

it  can  be  shown  that  their  successive  values  decrease  as  control  passes  from  one  loop  label  to  the 
next  (Katz  and  Manna  [1975]).  Although  this  method  is  effective,  it  is  not  the  most  natural  in 
establishing  the  termination  of  the  gcd  program. 
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III.  Relation  to  Conventional  Proof  Techniques 

One  question  that  naturally  arises  in  presenting  a  new  proof  technique  is  its  relationship  to  the 
more  conventional  methods.  In  the  previous  section  we  have  seen  examples  of 
intermittent-assertion  proofs  of  correctness  and  termination  that  are  simpler  than  any  known 
conventional  counterparts.  In  this  section  we  will  show  that  the  reverse  is  never  the  case;  in 
fact,  we  can  directly  rephrase  any  partial-correctness  proof  using  the  invariant-assertion 
method  as  an  intermittent-assertion  proof.  The  same  result  applies  to  another  standard 
partial-correctness  proof  technique,  the  "subgoal  assertion  method".  Furthermore,  we  will  show 
that  any  termination  proof  using  the  well-founded  ordering  method  can  also  be  expressed 
using  intermittent  assertions  instead.  Therefore,  we  can  always  use  the  intermittent-assertion 
method  in  place  of  the  established  techniques. 

In  order  to  characterize  the  conventional  techniques  precisely,  we  find  it  convenient  to  introduce 
some  new  notations,  which  are  described  more  fully  in  Manna  [1974].  Let  x  be  a  complete  list 
of  the  variables  of  a  given  program,  and  let  x0  denote  their  initial  values.  Suppose  that  we 
have  designated  a  special  set  of  labels  Lq,  Lj,  ~,  L^,  where  L0  and  are  the  program’s 

entrance  {start)  and  exit  {finish )  respectively.  It  is  assumed  that  each  of  the  program’s  loops 
passes  through  at  least  one  of  the  designated  labels.  A  path  between  two  designated  labels  is 
said  to  be  basic  if  it  does  not  pass  through  any  designated  label  (except  at  its  endpoints).  For 
each  basic  path  o  from  label  Lj  to  Lj,  we  let  tj,x)  denote  the  condition  that  must  hold  for 

control  to  pass  from  Lj  along  path  a  to  Lj,  and  we  let  gjix)  be  the  transformation  of  the  values 
of  x  effected  in  traversing  the  path  a.  Thus,  if  x  -  a  at  Lj,  and  condition  tu{a)  holds,  then 
control  will  pass  along  path  a,  reaching  Lj  with  x  -  g^{a). 

Let  us  consider  a  single  computation  of  the  program  for  some  particular  input  x0.  The 
ordering  >x  induced  by  the  computation  is  defined  as  follows: 

(a  i)  >x  {b  j) 

*o 

if  control  passes  through  Lj  with  x  -  a  and  then  eventually  reaches  L j  with  x  -  b.  It  is 

important  to  note  that  different  computations  of  the  same  program,  corresponding  to  different 
input  values,  induce  different  orderings. 

If  a  particular  computation  of  the  program  terminates,  the  ordering  induced  by  the  computation 
will  be  well-founded;  for  then  the  computation  will  be  finite,  and  the  ordering  it  induces  will 
have  no  infinite  decreasing  sequences. 
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The  above  ordering  enables  us  to  apply  the  intermittent-assertion  method  to  prove  partial 
correctness,  even  though  the  method  is  basically  a  total-correctness  technique.  In  proving 
partial  correctness,  we  only  consider  computations  of  the  program  that  are  assumed  to  terminate. 
The  orderings  induced  by  these  computations  are  therefore  well-founded,  and  can  serve  as  the 
basis  for  the  induction  in  an  intermittent-assertion  proof. 

Now  let  us  see  how  the  concepts  we  have  introduced  allow  us  to  rephrase  an 
invariant-assertion  proof  of  the  partial  correctness  of  a  program  as  an  intermittent-assertion 
proof. 


1.  Invariant-assertion  method 

Suppose  that  we  have  used  the  invariant-assertion  technique  to  prove  that  a  program  is 
partially  correct  with  respect  to  some  input  specification  P(x0)  and  output  specification  R(x0  *)• 
Then  we  have  a  set  of  invariant  assertions  Q0(x0  x),  Q,(x0  x),  ....  Q^(x0  x)  corresponding  to  the 
designated  labels  L0,  Lf,  _,  L^,  for  which  we  have  proved  that  for  every  x0  and  x: 

0)  P(x0)  ->  Q0(x0  x0) 

(the  input  specification  implies  the  initial  invariant  assertion),  and 
(2)  Qa(x0  x)  ->  R(x0  x) 

(the  final  invariant  assertion  implies  the  output  specification), 
and,  for  each  basic  path  a  from  Lj  to  Lj,  we  have  proved  the  verification  condition 

(3*)  Qj(x0  x)  and  tjx)  =>  Qj(x0  gjx)) 

(the  invariant  assertion  before  the  path  implies  the  invariant  assertion  after). 

Conditions  (1)  and  (3*)  establish  that  each  Qj(x0  x)  is  indeed  an  invariant  assertion  at  Lj;  it  has 
the  property  that  each  time  we  pass  through  Lj,  Qj(x0  x)  will  be  true  for  the  current  value  of  x. 

Condition  (2)  then  implies  that  if  the  program  terminates,  the  desired  output  specification  will 
be  satisfied.  Together,  these  conditions  establish  the  partial  correctness  of  our  program. 

From  the  given  proof  of  the  partial  correctness  of  the  program,  we  can  extract  an 
intermittent-assertion  proof  of  the  same  result.  The  theorem  that  expresses  the  partial 
correctness  in  the  intermittent-assertion  notation  is  as  follows: 
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Theorem:  if  sometime  x  »  x0  and  P(x0)  at  start 

and  the  computation  terminates 
then  sometime  R(x0  x)  at  finish. 

This  theorem  expresses  the  partial  correctness  of  the  program,  because  it  includes  the  explicit 
assumption  that  the  computation  terminates.  Given  the  Qj(x0  x)  from  the  invariant-assertion 

proof,  we  can  construct  the  following  lemma,  which  will  enable  us  to  prove  the 
partial-correctness  theorem: 

Lemma:  for  every  i,  OsiSA, 

if  sometime  x  -  a  and  Q^(x0  a)  at  Lj 

and  the  computation  terminates 
then  sometime  R(x0  x)  at  finish. 

To  prove  that  the  lemma  implies  the  theorem,  assume 

sometime  x  =x0  and  P(x0)  at  start 
and  the  computation  terminates. 

Our  in  variant- assertion  proof  includes  a  proof  of  (1),  that  P(x0)  ->  Qo(x0  x0).  That  proof  can 
be  incorporated  here,  to  yield 

sometime  x  -  x0  and  Q0(x0  x0)  at  L0 
and  the  computation  terminates, 

(because  L0  is  identical  to  start).  Taking  i  -  0  in  the  lemma,  we  may  deduce 

sometime  R(x0  x)  at  finish, 

which  is  the  desired  conclusion  of  the  theorem. 

To  prove  the  lemma,  we  suppose 

sometime  x  «*  a  and  Qj(x0  a)  at  Lj 
and  the  computation  terminates, 

for  some  i  between  0  and  h  The  proof  is  by  induction  on  the  ordering  >x  induced  by  the 

computation.  This  ordering  is  well-founded  because  the  computation  has  been  assumed  to 

terminate.  Thus,  we  assume  inductively  that  the  lemma  holds  whenever  x  »  a'  at  L^,  where 

(a  i)  >x  ( a '  i'). 

*o 
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The  proof  distinguishes  between  two  cases. 

If  i  ■*  h,  we  have  supposed  that 

sometime  x  -  a  and  Q^(x0  «)  at  L^. 

Incorporating  the  proof  of  (2)  and  recalling  that  Lyj  is  finish,  we  have 
sometime  R(x0  x)  at  finish, 
which  is  the  desired  conclusion  of  the  lemma. 

On  the  other  hand,  if  0  S  i  <  h,  control  must  follow  some  basic  path  a  to  a  designated  label  Lj. 
For  this  path,  tja)  must  be  true,  and  x  -  gj.a)  when  control  reaches  L j.  Because  Q^x0  a)  and 
tj^a)  are  true,  we  can  reproduce  the  proof  of  (3«.)  to  deduce  that  Q^<x0  gjfl))  is  true.  Thus 

sometime  x  -  gj,a)  and  Qj(x0  gj,a))  at  Lj. 

Because  (a  i)  igjia)  j)  ty  the  definition  of  the  ordering  induced  by  the  computation,  and 

because  the  computation  has  been  assumed  to  terminiate,  we  can  apply  our  induction 
hypothesis  to  yield 

sometime  R(x0  x)  at  finish. 

This  completes  the  proof  of  the  lemma. 

We  have  thus  constructed  an  intermittent- assertion  proof  of  the  partial  correctness  of  the 
program,  assuming  that  we  were  given  an  invariant-assertion  proof.  In  the  next  section  we  will 
Indicate  how  the  same  procedure  can  be  applied  to  subgoal-assertion  proofs. 


2.  Subgoal-assertion  method 

The  invariant-assertion  approach  always  relates  the  current  values  of  the  program  variables  to 
their  initial  values.  Another  approach  for  proving  partial  correctness,  the  sub  goal-assertion 
method,  relates  these  variables  to  their  ultimate  values  when  the  program  halts.  We  will  first 
present  the  method,  and  then  show  as  before  that  if  we  have  proved  the  partial  correctness  of  a 
program  using  this  method,  then  we  can  rephrase  the  same  proof  with  intermittent  assertions 
instead. 
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Suppose  now  that  we  have  used  the  subgoal-assertion  method  to  prove  that  a  program  is 
partially  correct  with  respect  to  some  input  specification  P(x0)  and  output  specification  R(x0  x). 

Then  we  have  a  set  of  subgoal  assertions  Q*0(x  *A).  ®  'i(x  xh)<  Q*A(*  *A)  corresponding  to  the 

designated  labels  L0,  Lj,  -.,  LA,  with  the  intuitive  meaning  that  Q’^x  xA)  must  hold  for  the 
current  value  of  x  as  control  passes  through  L£  and  the  ultimate  value  xA  of  x  when  the 
computation  halts.  For  these  assertions  we  have  proved  that  for  every  x0,  x  and  xA: 

(1*)  Q  **> 

(the  final  subgoal  assertion  always  holds  for  the  final  value  of  x),  and 
(2*)  P(x0)  and  Q*0(x0  xA)  ->  R(x0  xA) 

(the  input  specification  and  the  initial  subgoal  assertion  imply  the  output 
specification), 

and,  for  each  basic  path  a  from  L£  to  Lj,  we  have  proved  the  verification  condition 
(3**)  a*/g«(x)  xA)  and  tjx)  =>  Q*£(x  xA) 

(the  subgoal  assertion  after  the  path  implies  the  subgoal  assertion  before). 

The  subgoal-assertion  method  works  backward  through  the  computation,'  whereas  the 
invariant-assertion  method  works  forward.  Condition  (1*)  implies  that  the  final  subgoal 
assertion  always  holds.  Conditions  (3*^)  say  that  if  the  appropriate  subgoal  assertion  holds 
when  control  reaches  the  end  of  a  path,  then  the  corresponding  subgoal  assertion  holds  when 
control  is  at  the  beginning  of  the  path.  If  the  program  does  terminate,  conditions  (I*)  and 
(3**)  imply  that  each  Q*£(x  xA)  is  indeed  a  subgoal  assertion  at  L£;  it  has  the  property  that  each 

time  we  pass  through  L£,  Q*£(x  xA)  will  be  true  for  the  current  value  of  the  program’s  variables, 

x,  and  its  ultimate  value,  xA.  Condition  (2*)  then  implies  that  if  the  program  terminates,  the 

desired  output  specification  will  be  satisfied.  Together,  these  conditions  imply  the  partial 
correctness  of  the  given  program. 

To  contrast  the  invariant-assertion  and  the  subgoal-assertion  method,  let  us  consider  a  simple 
program  to  compute  the  gcd: 
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input(x  y) 

start: 

more:  if  x-0 

then  finish:  output^) 
else  (x  y)  <-  (rem(y  x)  x) 
goto  more. 

To  show  that  this  program  is  partially  correct  with  respect  to  the  input  specification 
P(*0  yo) :  *o  >  0  and  y0  >  0, 
and  the  output  specification 

R<*0  yo  y)-y-  gcd{x  o  y0), 
we  can  employ  the  invariant-assertions 

Qstartte o  yoxy)  2  P<*o  y0)  =  *o  >  0  and  yQ  >  0 
Qmore(x0  yo  x  y) :  x  2  0  and  y  >  0  and  gcd(x  y)  .  gcd(x0  yQ) 

^ finish^ yo*y)  5  R(*o y<hy)-ya  g«K*o yo > • 

On  the  other  hand,  to  prove  the  same  result  by  the  subgoal- assertion  method,  we  can  use  the 
subgoal  assertions 

Q*jr<zrr<*  y  yd :  x  * 0  and  y >  0  ->  yh  -  gcd{*  ?) 

^moreb  y  ?A> :  x  *  0  and  y  >  0  ->  H  *  Scd^x  ?> 

^ finish^  y  y  h} -y^yh- 

The  reader  may  observe  that  the  invariant  assertions  relate  the  program  variables  x  and  y  with 
their  initial  values  x0  and  y0  and  the  subgoal  assertions  relate  the  programs  variables  with  the 
ultimate  final  value  of  y,  y^. 

Let  us  return  to  the  general  case.  From  a  given  subgoal-assertion  proof  of  the  partial 
correctness  of  a  program,  we  can  mechanically  paraphrase  the  argument  as  an 
intermittent-assertion  proof,  just  as  we  did  for  the  invariant-assertion  method. 
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The  theorem  that  expresses  the  partial  correctness  of  the  program  is  again: 

Theorem:  if  sometime  x  «  x0  and  P(xg)  at  start 

and  the  computation  terminates 
then  sometime  R(xq  x)  at  finish. 

The  lemma  that  we  will  use  in  proving  the  theorem,  however,  is  different  from  the  lemma  in 
the  invariant-assertion  case 

Lemma:  for  every  i,  0  <  i  5  A 

if  sometime  x  •  a  at 

and  the  computation  terminates 
then  sometime  Q*j(a  sr)  at  finish  . 

To  construct  a  proof  that  the  lemma  implies  the  theorem,  we  take  i  »  0  and  extract  the 
justification  for  Condition  (2*)  from  the  given  subgoal  assertion  proof. 

The  proof  of  the  lemma  is  constructed  in  a  way  analogous  to  the  earlier  invariant-assertion 
case.  Induction  is  again  based  on  the  ordering  induced  by  the  computation.  When  i  -  h 

we  use  the  proof  of  Condition  (1*),  and  if  0  £  i  <  h  we  use  the  inductive  hypothesis  and  the 
proof  of  (3**). 

We  have  remarked  that  the  invariant-assertion  method  relates  the  current  values  of  the 
program  variables  to  their  initial  values,  whereas  the  subgoal-assertion  method  relates  the 
current  values  to  their  final  values.  The  intermittent-assertion  technique  can  imitate  both  of 
these  methods  because  it  can  relate  the  values  of  the  program  variables  at  any  two  stages  in  the 
computation. 


3.  Well-founded  ordering  method 

The  above  constructions  enabled  us  to  mirror  conventional  partial-correctness  proofs  using 
intermittent  assertions.  In  fact,  we  can  also  use  the  intermittent-assertion  method  to  express 
conventional  termination  proofs  that  use  the  well-founded  ordering  approach. 

Suppose  that  we  have  used  the  well-founded  ordering  approach  to  prove  the  termination  of  a 
given  program  with  respect  to  some  input  specification  P(x0).  Then  we  have  found  a 
well-founded  ordering  >  over  a  set  W,  and  for  some  set  of  designated  labels  L0,  L|,„.,  L^,  we 
have  found  a  set  of  invariant  assertions  Q0(xo  *)•  Qi(*o  *)•  -*  Q^(x0  *)  1/111  a  set  expressions 
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E0(x0  *)»  Ei(*o  *).  E^(x0  *)  for  which  we  have  proved  the  following  conditions  for  every  x0 

and  x: 


(1)  P(x0)  ->  Q0(*o  *o) 

(the  input  specification  implies  the  initial  invariant  assertion), 

(2J  Q;(x0  x)  and  tjx)  «>  (L(x0  gjx))  for  every  basic  path  a  from  Lj  to  Lj 

(the  invariant  assertion  before  the  path  implies  the  invariant  assertion  after), 

(3;)  Qj(x0  x)  m>  Ej(x0  x)  e  W  for  each  label  Lj 

(the  value  of  the  expression  belongs  to  W  when  control  passes  through  Lj),  and 
(4j  Qj(x0  x)  and  tjx)  ->  Ej(x0  x)  >  Ej(x0  gjx)) 
for  every  basic  path  a  from  Lj  to  Lj 

(as  control  passes  from  Lj  to  Lj,  the  value. of  the  corresponding  expression  is  reduced). 

The  above  conditions  establish  the  termination  of  the  program.  Conditions  (1)  and  (2<*)  ensure 
that  each  Qj(x0  x)  is  indeed  an  invariant  assertion  at  Lj:  whenever  control  passes  through  Lj, 
assertion  Qj(x0  x)  is  true  for  the  current  value  of  x.  Condition  (3)  then  tells  us  that  each  time 
control  passes  through  Lj,  the  value  of  the  expression  Ej(x0  x)  belongs  to  W. 

Now,  suppose  that  Conditions  (l)-(4)  are  satisfied  but  the  program  does  not  terminate  for  some 
input  x0  satisfying  the  input  specification  P(x0).  Control  then  passes  through  an  infinite 
sequence  of  designated  labels;  the  values  of  the  corresponding  expressions  Ej(x0  x)  constitute  an 

infinite  sequence  of  elements  of  W.  Condition  (4)  then  implies  that  this  is  a  decreasing 
sequence  under  the  well-founded  ordering,  thereby  contradicting  the  definition  of  a 
well-founded  set.  Conditions  (l)-(4)  therefore  suffice  to  establish  the  termination  of  the  given 
program. 

It  is  our  task  to  transform  a  proof  by  the  above  method  into  an  intermittent-assertion  proof  of 
the  termination  of  the  program.  The  following  theorem  expresses  the  desired  property 

Theorem:  if  sometime  x  -  x0  and  P(x0)  at  start 

then  sometime  at  finish  . 
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Recall  that  "sometime  at  finish"  expresses  the  termination  of  the  program  in  the 
intermittent-assertion  notation.  We  can  prove  this  theorem  by  establishing  the  following 
lemma 


Lemma:  for  every  i,  0  s  i  s  h 

if  sometime  x  -  a  and  Qj(x0  a)  at  Lj 

then  sometime  at  finish  . 

To  construct  a  proof  that  the  lemma  implies  the  theorem,  we  take  £  to  be  0  in  the  lemma  and 
incorporate  the  given  proof  of  Condition  (1)  into  the  intermittent-assertion  proof  of  the 
theorem. 


To  prove  the  lemma  we  use  induction  over  the  same  well-founded  ordering  >  that  we 
employed  in  the  given  termination  proof.  Suppose  that 

sometime  x  »  a  and  Qj(x0  a)  at  Lj 

for  some  designated  label  Lj.  We  assume  inductively  that  the  lemma  holds  whenever  x  -  a'  and 
Qj^x0  a’)  at  Lj.,  where  Ej(x0  a)  >  E^Xq  a').  If  i  -  h,  termination  has  already  occurred. 
Otherwise,  control  must  follow  some  path  a  from  Lj  to  Lj,  i.e.  tjfl)  is  true.  Thus 


sometime  x  »  gjja)  at  Lj  . 

Because  both  Qj(w0  a)  and  hold,  the  proof  of  Condition  (2)  enables  us  to  deduce 

£«*(<*))•  The  proof  of  Condition  (3)  can  be  incorporated  to  yield 

Ej(x0  a)  €  W  and  Ej(x0  gja))  e  W  , 

because  both  Qj(x0  a )  and  Qj(x0  gjia))  are  true.  By  Condition  (4)  then,  we  have 
£j(x0  a)  >  Ej(x0  gja)) . 


We  can  now  use  the  induction  hypothesis,  with  f  -  j  and  a'  -  gj,a),  yielding  the  desired 
conclusion 


sometime  at  finish. 

In  this  section  we  have  shown  how  proofs  by  the  conventional  methods  for  establishing  partial 
correctness  and  termination  of  programs  may  be  translated  into  intermittent-assertion  proofs  of 
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the  same  results.  The  translation  process  is  purely  mechanical  and  does  not  increase  the 
complexity  of  the  proof.  For  this  reason  we  can  conclude  that  in  employing  the 
intermittent-assertion  method  we  have  not  lost  any  of  the  power  of  the  existing  methods. 

Is  it  possible  that  a  similar  translation  could  be  performed  in  the  other  direction?  For 
example,  couldn’t  we  devise  a  procedure  for  translating  any  partial-correctness  proof  by  the 
intermittent-assertion  method  into  a  conventional  invariant-assertion  proof  of  comparable 
complexity?  We  believe  not.  We  have  seen  no  invariant-assertion  proof  for  the  tips  program 
that  does  not  require  consideration  of  the  sum  of  the  tips  of  all  the  elements  in  the  stack.  We 
have  seen  no  termination  proof  of  the  iterative  Ackermann  program  by  the  conventional 
method  that  employs  such  a  simple  well-founded  ordering  as  the  intermittent-assertion  proof. 
Without  formulating  a  precise  notion  of  the  "complexity”  of  a  proof,  we  cannot  argue  rigorously 
that  the  intermittent-assetion  method  is  strictly  more  powerful  than  the  conventional  methods, 
but  our  experience  and  our  intuition  lead  us  to  maintain  that  this  is  so. 
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IV.  Application:  Validity  of  Transformations  That 
Eliminate  Keoursion 

In  discussing  the  tips  program  (Section  II- 1)  we  remarked  that  part  of  the  difficulty  in  proving 
the  correctness  of  the  program  arose  because  the  program  was  developed  by  introducing  a  stack 
to  remove  the  recursion  from  the  original  definition.  It  has  been  argued  (e.g.  Knuth  [1974], 
Burstall  and  Darlington  [1975],  Gerhart  [1975])  that,  in  such  cases,  we  should  first  prove  the 
correctness  of  the  original  recursive  program,  and  then  develop  the  more  efficient  iterative 
version  by  applying  one  or  more  transformations  to  the  recursive  one.  These  transformations 
are  intended  to  increase  the  efficiency  of  the  program  (at  the  possible  expense  of  clarity)  while 
still  maintaining  its  correctness. 

If  we  were  applying  this  methodology  in  producing  our  tips  program,  therefore,  we  would  first 
prove  the  correctness  of  the  recursive  version  (a  trivial  task,  since  that  version  is  completely 
transparent);  we  would  then  develop  the  iterative  lips  program  by  systematically  transforming 
the  recursive  program  -  removing  its  recursion  and  introducing  a  stack  instead.  Consequently, 
the  proof  we  presented  in  Section  II  would  be  completely  unnecessary,  since  the  program  would 
have  been  produced  by  applying  to  a  correct  recursive  program  a  sequence  of  transformations 
that  are  guaranteed  not  to  change  that  program’s  specifications. 

To  realize  such  a  plan,  however,  we  must  be  certain  that  the  transformations  we  use  are  valid; 
i.e.  that  they  actually  do  produce  a  program  equivalent  to  the  original  one.  Given  the  same 
input,  the  two  programs  must  be  guaranteed  to  return  the  same  output.  In  other  words,  we 
must  be  certain  that  bugs  cannot  be  introduced  during  the  transformation  process. 

In  this  section  we  will  illustrate  how  intermittent  assertions  can  be  employed  to  establish  the 
validity  of  such  transformations.  We  will  present  the  intermittent-assertion  proof  of  the 
validity  of  a  transformation  that  removes  a  recursion  by  introducing  a  stack.  This 
transformation  could  have  been  used  to  produce  our  iterative  tips  program  from  its  recursive 
definition. 

Suppose  we  have  a  recursive  program  of  form 

F(x)  <=■  if  p(x) 

then  fix) 

else  A(F(g|(sc))  F(g2(x))). 

(For  simplicity,  let  us  assume  that  p,f,  gj,  g2  and  h  are  defined  for  all  arguments).  If  we  know 
that 
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( 1)  h(u  h(v  w))  =  h(h(u  v)  w)  for  every  u,  v  and  w 

( A  is  associative),  and 

(2)  A(e  u )  s>  u  for  every  u 

(e  is  a  left  identity  of  A), 

then  we  can  transform  our  program  into  an  equivalent  iterative  program,  of  form 
input(x) 

start:  stack  (x) 

z  *-  e 

more:  if  stack  -  () 

then  finish;  output(z) 
else  if  p(head{stack)) 

then  z  «-  A(z  J{head{stack))} 
stack  *-  tail{stack) 
goto  more 

else  first  «-  head(slack ) 

stack  <-  g] (first)  •  igifirst)  •  tai/(sraci)] 
goto  more 

The  validity  of  this  transformation  is  expressed  by  the  following  two  theorems. 

Theorem  i:  if  sometime  x  -  a  at  start 
and  F (a)  is  defined 
then  sometime  z  »  F(a)  at  finish. 

and 

Theorem  2:  if  sometime  x  =  a  at  start 

and  the  iterative  computation  terminates 
then  F (a)  is  defined. 

Theorem  1  contains  the  condition  that  F (a)  is  defined  (that  the  recursive  computation  of  F  with 
input  a  will  terminate).  This  condition  is  necessary  for,  otherwise,  the  iterative  program  will 
not  terminate,  and  therefore  control  will  never  reach  finish  at  all.  If  we  succeed  in  proving 
Theorem  1,  we  will  have  established  that  the  iterative  program  terminates  whenever  the 
original  recursive  program  does,  and  returns  the  same  output;  in  other  words,  the  iterative 
program  computes  an  extension  of  the  function  computed  by  the  recursive  program,  rather  than 
the  exact  same  function.  Theorem  2  shows  that  the  recursive  program  halts  whenever  the 
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iterative  program  does.  Together,  Theorems  1  and  2  imply  that  the  recursive  and  iterative 
programs  are  equivalent.  The  proof  of  Theorem  1  is  analogous  to  the  proof  of  the  total 
correctness  of  the  tips  program;  it  can  be  proved  using  the  following  lemma; 

Lemma  i:  if  sometime  z  -  c  and  stack  -  a>s  at  more 
and  F(a)  is  defined 

then  sometime  z  -  h(c  F(a))  and  stack  -  s  at  more. 

To  show  that  the  lemma  implies  Theorem  1,  assume 
sometime  at  start 

and  that  F(a)  is  defined.  Then  immediately  control  passes  to  more,  so  that 
sometime  z  -  e  and  stack  -  (a)  -  a*  ()  at  more. 

By  the  lemma  [taking  c  to  be  e  and  s  to  be  ()3,  we  have 
sometime  z  -  h{e  F (a))  and  stack  «  ()  at  more. 

But  h(e  F(<z))  -  F(a)  by  Property  (2),  that  e  is  a  left  identity  of  A.  Because  stack  is  (),  control 
passes  to  finish,  and  We  deduce 

sometime  z  -  F(a)  at  finish, 

which  is  the  desired  conclusion  of  the  theorem. 

To  prove  the  lemma,  suppose 

sometime  z  -  c  and  stack  -  a>s  at  more, 

where  F(a)  is  defined.  The  proof  employs  complete  induction  on  a,  over  the  ordering  >a 
induced  by  the  recursive  computation  of  F(a).  This  is  the  ordering  such  that 

d>a<C, 

where  a  call  F(rf)  occurs  in  the  computation  of  F(d),  and  F (<f)  is  called  recursively  during  the 
computation  of  F (d).  (We  include  the  possibility  that  d  -  a.)  In  particular,  d  >a  g,(d)  and 

d  >a  gz(d),  if  a  call  F {<£)  occurs  in  the  computation  of  F(a).  This  ordering  >a  is  clearly 
transitive  and  can  be  shown  to  be  well-founded  because  the  computation  of  F(<z)  terminates. 
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We  will  assume  inductively  that  the  lemma  holds  whenever  z  »  d  and  stack  -  a'- s',  where  a  >a 
a '  in  the  ordering  >a  induced  by  the  recursive  computation  of  F(a),  and  show  that  it  holds 

when  z  ■»  c  and  stack  -  a*j  as  well.  We  distinguish  between  two  cases,  depending  on  the  truth 
of  p(a). 

Case  p(a)  is  true;  Then  F(a)  -  f{a),  by  the  recursive  definition  of  F.  Because  a  is  at  the  head 
of  the  stack ,  the  stack  is  not  empty  and  p{head(stack))  is  true;  therefore  we  follow  the  then 
branch  of  the  program,  so  that 

sometime  z  -  h(c  f{a))  and  stack  -  s  at  more. 

But  j{a)  »  F(a),  so  we  have 

sometime  z  -  A(e  F{a))  and  stack  «  s  at  more, 

which  is  the  desired  conclusion; 

Case  p(a)  is  false:  Here  F(a)  -  h(F{gx(a))  F(g2(a))),  by  the  recursive  definition  of  F.  Note  that 
F (a)  is  defined;  therefore  F(g|(a))  and  F(gz(a))  are  also  defined.  Because  stack  is  not  empty  and 
p{head{stack ))  is  false,  control  follows  the  else  branch  of  the  loop  body,  so  that 

sometime  z  =*  c  and  stack  -  g|(a).[g2(a)« j]  at  more. 

Recall  that  a  >a  g;(a);  therefore  we  can  apply  the  induction  hypothesis  [taking  d  to  be  c,  a'  to 
be  g\ (a),  and  s'  to  be  g2(a)-s]  to  obtain 

sometime  z  -  h(c  F(gj(a)))  and  stack  *  gz(a)‘S  at  more. 

Because  a  >a  g2(a),  we  can  apply  the  induction  hypothesis  a  second  time  [taking  <?  to  be 
h{c  F(g](a))),  a'  to  be  g2(a),  and  s'  =  si  We  derive 

sometime  z  »  A(A(c  F(gj(a)))  F(g2(a)))  and  stack  **  s  at  more. 

By  the  associativity  of  A  (Property  (1)),  and  the  recursive  definition  of  F,  we  have 

A(A(c  F(g,(a)))  F(gz(a)))  -  A(c  A(F(g|(a))  F(g2(a))))  *  h(c  F(a». 

Therefore  we  can  conclude 

sometime  z  »  h(c  F(a))  and  stack  ->  s  at  more, 

completing  the  proof  of  the  lemma. 
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So  far  we  have  only  established  Theorem  1,  that  the  function  computed  by  the  iterative 
program  is  an  extension  of  the  function  computed  by  the  recursive  program.  We  still  need  to 
prove  Theorem  2,  that  if  the  iterative  program  terminates,  then  the  recursive  program  also 
terminates.  This  proof  depends  on  another  lemma. 

Lemma  2:  if  sometime  z  -  c  and  stack  ■  a-s  at  more 
and  the  iterative  computation  terminates 
then  F(a)  is  defined. 

Lemma  2  implies  Theorem  2  directly,  because  the  stack  is  initialized  to  (a)  -  a-Q. 

The  proof  of  the  lemma  employs  induction  over  the  ordering  >Xo  induced  by  the  iterative 
computation  with  intput  Xq.  In  this  ordering,  (c,  Sj)  >Xq  (cz  sz),  where  c,  and  cz  are  successive 

values  of  the  variable  z  at  more,  and  and  j2  are  successive  values  of  the  stack  at  more.  This 
ordering  is  well-founded  if  the  computation  terminates. 

To  prove  the  lemma,  suppose  that 

sometime  z  «  c  and  stack  «  a*  s  at  more, 

and  that  the  iterative  computation  terminates.  We  assume  inductively  that  the  lemma  holds 
whenever  z  «  <?  and  stack  -  a'- s'  where  (c  a>s)  >Xq  (c*  a'- s')  in  the  ordering  induced  by  the 

computation,  and  show  that  F(a)  is  then  defined. 

We  distinguish  between  two  cases. 

Case  p{a )  is  true:  Here  F(a)  -  f(a)  by  the  recursive  program,  and  therefore  F (a)  is  defined. 

Case  p{a)  is  false:  Here  F(a)  -  A(F(g|(a))  F(gz{a))),  by  the  recursive  program.  Since  stack  is  not 
empty  and  p(head(stack))  is  false,  the  iterative  computation  follows  the  else  branch,  so  that 

sometime  z  »  c  and  stack  -  gi(a)*[g2(a)»s]  at  more. 

Because  (c  a >s)  >x  (c  gi(a)‘[g2(a)‘ s])  in  the  ordering  induced  by  the  iterative  computation, 

and  because  the  computation  was  assumed  to  terminate,  we  can  deduce  from  our  induction 
hypothesis  that  F(g](a))  is  defined.  By  Lemma  1,  we  have  that 

sometime  z  -  h{c  F(gt(a)))  and  stack  -  g2(a)‘  s  at  more. 

Again,  by  the  induction  hypothesis,  we  have  that  F(gz(a))  is  defined.  Because  both  F(g](a))  and 
F(g2(a))  are  defined,  and  F(a)  -  A(F(g|(a))  F(g2(a))),  we  can  conclude  that  F(a)  is  defined. 
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We  have  just  shown  the  validity  of  the  transformation  that  was  actually  used  to  produce  the 
iterative  tips  program  in  Section  II- 1.  As  in  that  section,  we  could  have  used  the  conventional 
invariant-assertion  technique  in  the  proof  of  Theorem  1.  However,  although  we  could  employ 

the  standard  notation  to  denote  repeated  applications  of  the  ♦  operation  in  the  tips 

invariant  assertion,  we  would  have  had  to  invent  a  new  notation  to  denote  repeated  application 
of  the  function  h  in  the  invariant  assertion  for  the  iterative  program  here. 

In  the  next  section  we  will  discuss  an  entirely  different  application  of  the  intermittent-assertion 
method. 
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V.  Application:  Correctness  of  Continuously  Operating 
Programs 

Conventionally,  in  proving  the  correctness  of  a  program,  we  describe  its  expected  behavior  in 
terms  of  an  output  specification,  which  is  intended  to  hold  when  the  program  terminates.  Some 
programs,  such  as  operating  systems,  airline-reservation  systems  and  management  information 
systems,  however,  are  never  expected  to  terminate.  Such  programs  will  be  said  to  be 
continuously  operating  (see,  for  example,  Francez  and  Pneuli  (1977]).  The  correctness  of 
continuously  operating  programs  therefore  cannot  be  expressed  by  output  specifications,  but 
rather  by  their  intended  behavior  while  running. 

Furthermore,  we  conventionally  describe  the  internal  workings  of  a  program  with  an  invariant 
assertion,  which  is  intended  to  hold  every  time  control  passes  through  the  corresponding  point 
The  description  of  the  workings  of  a  continuously  operating  program,  however,  often  involves 
a  relationship  that  some  event  A  is  inevitably  followed  by  some  other  event  B.  Such  a 
relationship  connects  two  different  states  of  the  program  and,  generally,  cannot  be  phrased  as  an 
invariant  assertion. 

In  other  words,  the  standard  tools  for  proving  the  correctness  of  terminating  programs, 
input-output  specifications  and  invariant  assertions,  are  not  appropriate  for  continuously 
operating  programs.  The  intermittent-assertion  method  provides  a  natural  complement  here, 
both  as  a  means  for  specifying  the  internal  and  external  behavior  of  these  programs,  and  as  a 
technique  for  proving  the  specifications  correct. 

We  will  use  one  very  simple  example,  an  imaginary  sequential  operating  system,  to  illustrate 
this  point: 

more:  read  {requests) 
setup:  if  requests  -  () 
then  goto  more 

else  (job  requests)  <-  ( head(requests )  tail(requests )) 
execute:  proc ess(job) 
goto  setup. 

At  each  iteration  this  program  reads  a  list,  requests,  of  jobs  to  be  processed.  If  requests  is 
empty,  the  program  will  read  a  new  list,  and  will  repeat  this  operation  indefinitely  until  a 
nonempty  request  list  is  read.  The  system  will  then  process  the  jobs  one  by  one;  when  they  are 
all  processed,  the  system  will  again  attempt  to  read  a  request  list. 

What  we  wish  to  establish  about  this  program  is  that  if  a  job  j  is  read  into  the  request  list,  it 
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will  eventually  be  processed.  Although  this  claim  is  not  representable  as  an  input-output 
specification,  it  is  directly  expressed  in  the  following 

Theorem:  if  sometime  j  e  requests  at  setup 

then  sometime  job  -  j  at  execute. 

Here,  j  e  requests  means  that  j  belongs  to  the  list  of  current  requests. 

To  prove  the  theorem,  assume  that 

sometime  j  e  requests  at  setup. 

Then  requests  is  not  empty  and  is  of  the  form 

«jP, 

where  a  and  (3  are  the  sublists  of  jobs  occuring  before  and  after  j,  respectively,  in  the  request 
list  Our  proof  will  be  by  complete  induction  on  the  structure  of  cc  we  assume  the  theorem 
holds  whenever  requests  is  of  form 

a'jfi, 

for  any  sublist  a’  of  a.  The  proof  distinguishes  between  two  cases 

Case  a  ■»  0:  Then  j  -  head{requests).  Since  requests  x  (),  we  reach  execute  with 
job  -  header equests)  -  j,  satisfying  the  conclusion  of  the  theorem. 

Case  ax  0:  Then  a  -  head(a)‘  tail(a).  Because  again  requests  x  0,  we  process  job  -  head{a),  and 
return  to  setup  with  requests  reset  to  tail{a)  j  0.  Since  tail{a)  is  a  sublist  of  a,  we  can  conclude 
from  our  inductive  assumption  that 

sometime  job  -  j  at  execute, 

as  we  had  hoped. 

This  program  is  very  simple,  but  it  may  serve  to  suggest  how  the  intermittent-assertion  method 
can  be  applied  to  the  more  realistic  examples. 

Note  that  when  we  make  a  statement  of  form 

if  sometime  P  at  L| 
then  sometime  Q  at  L2, 
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we  do  not  necessarily  imply  that  condition  Q  is  satisfied  at  L2  after  condition  P  is  satisfied  at  Lj; 
in  fact,  condition  Q  could  hold  before  condition  P.  Thus,  in  the  above  example,  we  should  be 
perfectly  content  if  some  especially  fast  operating  system  were  able  to  process  the  job  before  it 
was  submitted.  If  we  wanted  to  express  a  specification  that  excluded  such  an  interpretation,  we 
would  have  to  adapt  our  notation  appropriately.  In  fact,  the  proof  techniques  that  we  have 
used  in  this  paper  will  only  allow  us  to  prove  an  implication  of  the  above  form  if  Q  holds  at  Lz 
after  P  holds  at  Lj. 

Throughout  this  paper,  in  proving  an  implication  of  the  above  form,  we  have  tacitly  assumed 
that  conditions  P  and  Q  are  satisfied  at  different  stages  of  the  same  computation.  It  is  possible 
to  relax  this  assumption  and  relate  different  computations  by  extending  our  notation 
appropriately.  We  believe  one  could  then  apply  the  intermittent-assertion  method  to  prove 
properties  of  nondeterministic  and  concurrent  programs  as  well. 
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VI.  Conclusions 

The  intermittent-assertion  method  not  only  serves  as  a  valuable  tool,  but  also  provides  a 
general  framework  encompassing  a  wide  variety  of  techniques  for  the  logical  analysis  of 
programs.  Diverse  methods  for  establishing  partial  correctness,  termination,  and  equivalence  fit 
easily  within  this  framework.  Furthermore,  some  proofs,  naturally  expressed  with  intermittent 
assertions,  are  not  as  easily  conveyed  by  the  more  conventional  methods. 

It  has  yet  to  be  determined  which  phases  of  the  intermittent-assertion  proof  process  will  be 
accessible  to  implementation  in  verification  systems.  If  the  lemmas  and  the  well-founded 
orderings  for  the  induction  are  provided  by  the  programmer,  to  construct  the  remainder  of  the 
proof  appears  to  be  fairly  mechanical.  On  the  other  hand,  to  find  the  appropriate  lemmas  and 
the  corresponding  orderings  may  require  some  ingenuity.  We  believe  that  the 
intermittent-assertion  method  will  have  practical  impact  because  it  allows  us  to  incorporate  our 
intuitive  understanding  about  the  way  a  program  works  directly  into  a  proof  of  its  correctness. 
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